Thursday, January 27, 2011

DEFT 6 and VirtualBox: Maybe it’s just me?

 

Just a quick-post.

Recently, the DEFT gang released DEFT Linux 6.  This is the next iteration of the DEFT LiveCD for forensics work.

(I’m continuing to make notes for my promised write-up of Xplico and was hoping to work with the latest LiveCD which includes the updated version of Xplico as well for my post, anyway…)

For some reason, when I downloaded the ISO file and attempted to boot it in the latest 4.0 version releases of VirtualBox on my Windows 7, x64 (Home Premium) system, I only got a black screen.

I checked the MD5 for the ISO and it matched perfectly.  The “burned” CD of the same ISO file would work just fine to boot a physical system…so I was at a loss as to why it wouldn’t work in VirtualBox.

I had allocated 1024MB for the virtual machine, and bumped the video RAM allocated up to 16 MB.

Nothing.

My host system is a Dell Studio 15 (1558) with 4GB RAM and an i7 processor.  Should be able to handle things.

For kicks I tried booting my DEFT 5.1 ISO in the same “ISO Loader” VirutalBox machine and had no issues.  It loaded and ran just fine.  Back to using the DEFT 6 ISO file and nothing.

After a couple of days pondering things, I decided to try disabling “VT-x/AMD-V” & “Nested Paging” under the “Acceleration” tab just for kicks n grins.

image

Guess what?

The DEFT 6 ISO now loaded and was executed just fine by VirtualBox.

image

Probably just an issue with my particular host system but just in case anyone else is scratching their head getting a non-boot of the DEFT 6 ISO in VirtualBox, it might not hurt to try.

I can enable those settings on other virtual machines in VirtualBox and don’t have any issues so maybe it’s just DEFT 6 specific…

Cheers…

Claus V.

Saturday, January 01, 2011

Security and Forensics Watch-List: GSD Linkfest Style

It’s a sign of my busy-ness that most all the links for this first-of-the-year security and forensics linkfest post come from the tail-end of 2010.

I’m emptying all these out to clear the decks.  I’ve promised and need to deliver on the Xplico post that was mentioned some time ago.  These are the last bits that should empty out the “to-blog” hopper so I can turn all focus on that one.

Forensics and PenTest LiveCD News

Land Ahoy! DEFT 6 RC is OUT! - Stefano Fratepietro recently announced the “RC” release of the next DEFT iteration.  I’ve been playing with it and am very impressed with the polish and inclusions.  See his inclusions page to see what is loaded in, and check out the sexy-cool screenshot page for all the glamor and glitz.

CAINE 2.0 Live CD - “NewLight” Edition - Not to be outdone, the other highly-active LiveCD forensics distro CAINE had a final version release a while back.  Also highly updated with a “wax-on, wax-off” super-shine polish.  Check out this PDF version of Caine highlights as seen in Linux Magazine Online.

Katana 2.0 - A multi-boot “LiveUSB” distro from Hack from A Cave also got a November 2010 update. CAINE and Kon-Boot got added alone with some new Windows tools.  Maybe unknown to some, it also packs the Katana Tool Kit, based on a PortableApps launcher.  Like other distros, it provides a convenient manner to launch Windows-based tools from a nicely organized menu if using the tool in a Windows environment; rather than using one of the included distros to boot a system.

BackTrack Linux 4 R2 - The venerable penetration testing distribution packs a mean wallop!  You might want to look at both their Forensics page to find some features that might be useful. Also stop in on this SecurityOrb blog-post: BackTrack 4 Tutorials, Manuals and Howtos full of good resources.

Windows Forensic Environment Blog by Brett Shavers covers all things in the WinFE world.  Check out this wonderful post Updated video and other things to get a quick review on how the WinFE build it constructed.  Meanwhile we wait patiently for his magnum-opus WinBuilder based - WinFE creation tool to get released.

The Reading List

Windows Incident Response: Stuff - Great info on timeline thoughts from Harlan Carvey.

Reviewing Timelines with Excel - Journey Into Incident Response - Really great takeaway from Corey Harrell hopped to via Harlan’s post above.

Memory Analysis with Mandiant Memoryze - Digital Forensics How-To from the SANS Computer Forensics & Incident Response blog.  See also their post Persistence Registry keys.

The Digital Standard: The “Not So” Perfect Keylogger - cepogue has provided an interesting keylogger breakdown with lots of cross-response application.

JL’s stuff: Identifying Memory Images - In case you get an image with no clear information as to what system OS it was running under.

Open Source Digital Forensics - Bookmark this site to keep an eye on old and new tools in the Open Source forensic area.  Tools, paper, procedures and some test-image links available.

Derek Newton « Information Security Insights - Not really sure how I ended up exactly on Derek’s site but it is a gem.  Not only has he collected and organized some really nice Useful Links and Forensic Tools sub-pages, but his posts are always very educational.  For example, two recent posts:

Finally, utility-building guru Nir Sofer offers all a Happy New Year To All NirSoft Users ! and then proceeds to tease us with some possible tools under development for the new year!  Awesome!

Wi-Fi Focus

A quick scan of the Wi-Fi surrounding the Valca home shows a total of 7 Wi-Fi networks with two of them wide-open and completely unsecured.  With really handy freeware tools such as the inSSIDer 2.0 Wi-Fi Scanner or NirSoft’s WirelessNetView or the eye-candy rich Xirrus Wi-Fi Inspector it is easy work finding and locating such things.

In his post How to capture data and passwords of unsecured wireless networks with SniffPass and SmartSniff, Nir Sofer shows just how easy it is to start grabbing data from unsecured networks.

I can’t recommend you test this on any network you don’t own or manage but if you are doing pentesting or an incident response involving a possible rogue Wi-Fi operation inside your network operations area, this could be a very valuable technique in some cases.

You might also find this MakeUseOf post 7 Completely Free VPN Services To Protect Your Privacy helpful.  Just saying…

“All-in-One” Forensic Tool?

At the risk of sounding like a fairly-recent Windows Phone 7 "Really?" TV Commercial (YouTube), I’m always very fascinated when I see a tool that honestly tries very hard to roll-up many “incident response” features into a single package. 

Like all such incident response tools, please understand and use the tools in a structured manner so as to not operate with a false sense of security…and potentially do more harm than good. Specifically, is use part of a larger and structured incident response plan, has the tool been seriously vetted, what key things does it NOT do that must be captured using alternative/supplemental tools?

Case in point just peruse this short-list of thoughts on the complexities of incident response from the pros:

I ponder these things as I saw a new tool mentioned recently in the MakeUseOf site Investigate Or Troubleshoot Computer Systems With OSForensics [Windows]

It outlines a new (currently freeware) “many-in-one” forensic/digital-investigation tool by PassMark Software - OSForensics.

To PassMark’s credit, a look at the features shows it contains a very well rounded selection of components.  I’m not really fussing about the tool or its capabilities here.   I’m sure their target audience for the product are trained and harried professional incident-responder folks.  It is part of a number of tools offered by them, including ones to LiveCD boot a target system to capture an image as well as a tool mount the image file for processing with their OSForensics product.  So there is a unified structure to the tools.  Hopefully users will see these integrated parts and use them correctly in concert to process a system that preserves the integrity (ie, minimal/no write-back) to the target system.  PassMark has provided the toolset package.

I’m just curious how many untrained “incident responders” might jump on this tool based on its capabilities and convenience the first time someone hollers about a breach or incident and tosses this tool at the “live” target system. What will the aftermath be?

Of course, that situation probably occurs each and every day with any number of freely and publically available tools used by both “amateur” and certified professional incident responders alike.

That said, OSForensics rounds up quite a wide-range of useful tools and features into a very well organized and accessible package.  The interface is highly navigable.  I’m sure there are tools here for both the sysadmin-troubleshooter and the incident-responder alike to like and appreciate.  Of special note and appreciation is the offering of several “Hash Set” packages to add to OSForensics when scanning a system to rule-out known system files from suspect files worth closer inspection. It also include a “timeline view” function to provide understanding on system events and activity.

Did I mention that it is offered in both x32 and x64 bit versions? Nice!

PassMark is very active in releasing updates to their beta product so development and improvement of the tool is clearly serious stuff here.

My one “gripe” at this point is the decision to require a full system install first, then from there create a OSForensics - Install OSForensics to a USB Flash Drive build.  I’d rather they take a tip from Piriform and just offer both the full-install or “standalone/zip” packages outright.  It would definitely save time and effort in the updating process considering the frequent update release.  Not a major issue, but something to consider.

Definitely PassMark has brought a handy toolset package to be added to your USB stick for all system admins and incident responders.  I’ve added to to my USB drive.

PassMark also offers some other freeware Tools for OSForensics tools that you may be interested in exploring which round out the full toolset for a response and review:

OSFClone - A freeware “LiveCD” tool to create a dd-based disk-image clone for use with PassMark’s tools (or other tools that support such image files).

OSFMount - Used to mount local disk image files to a drive letter. OSFMount has been released in both x32 and x64 bit versions. (Is it just me or does the drive-mount window look very similar to Olof Lagerkvist’s ImDisk freeware tool?)

image  versus  image.

So if you are comfortable using ImDisk you will be at home with OSFMount as well (if you don’t want to stick with ImDisk for some reason I guess…).

Update: A close reading of the “read-me” file included in the OFSMount package nicely does credit Olof’s ImDisk as the initial base for this utility, thereby explaining the similarity!

ImageUSB - freeware tool to create or write-back images to/from USB flash drives.

Check ‘em all out!  Just deploy wisely.

While looking at Olof Lagerkvist’s ImDisk freeware tool page making sure I wasn’t going crazy with the similarity in GUI, I see he is now offering a seriously updated Beta 1.4.0 version of ImDisk that was released on Dec 7th. Super sweet New Year bonus!

Per Olof’s Update description (bottom of list) for ImDisk Beta 1.4.0, I’m quoting below:

  • Beta release ImDisk Virtual Disk Driver version 1.4.0:
  • Corrected a serious bug that seems to have particularily caused blue screen crashes on 64 bit Windows versions on multi-processor computers. Thanks to Bruce Cran for helping the project with debugging on 64 bit architecture.
  • Graphical user interface, that is Control Panel applet and right-click menu option in Explorer now shows option to add MBR (Master Boot Record) while saving disk contents to image file.
  • Algorithm for selecting default virtual disk geometry (C/H/S geometry) for virtual hard disk volumes changed. From this version, driver will auto-select 255/63/512 geometry in most cases. Only exception from this is when virtual disk is smaller than about 2 GB in which case smaller tracks per cylinder size is choosen. User defined virtual geometry can still be manually selected using command line or API directly.
  • ImDisk source archive now contains a subdirectory called ImDiskNet. This is a .NET dll file which could be used from for example VB.NET or C# to create/modify/delete/save etc virtual disks. This dll also contains a class that can be used as a COM object from VB6 or VBScript etc. This dll is also available for direct download here.
  • 64 bit setup now installs 32 bit imdisk.cpl and imdisk.exe in addition to the usual 64 bit versions. This means that API calls and command line calls will work from 32 bit applications even on 64 bit Windows without tweaking with installing dlls manually in correct directories etc.
  • Updated "devio" tool. This version supports both reading and writing dynamic resizing .vhd files used by Microsoft Virtual PC, Virtual Server and Hyper-V. Earlier version had a serious bug that would corrupt disk image when mounted for both reading and writing.
  • Changed notification that is sent to other applications when a new virtual disk is created. ImDisk does no longer wait for all applications to process the notification. It however still waits for all applications to process the notification that is sent when a virtual disk is about to be deleted.

Did you catch that? Devio got updated as well. For more information see this old GSD post: Devio: Remote drive access and acquisition.

Maybe OSForensics can incorporate Devio in their forensic solution package(s) somehow as well in the future for “agent-based” capture of a remote system from within OSForensics?  Just another suggestion.

From Sweden with Love

Erik Hjelmvik, creator of the beloved NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer as well as the SplitCap - open source pcap file splitter also offers his SPID Statistical Protocol IDentification project also for Windows systems.

Erik also recently published an article recently titled Network Neutrality and Protocol Discrimination over at CIO.com that shows the application of his SPID tool.  Neat stuff.

Utils

Two more final utilities worth looking into:

USB Write-Blocker - Document Solutions, Inc.  Freeware tool you run-first before attaching a USB drive to look at.  It promises to prevent OS system write-back to the USB device once attached.  While certainly no substitute for a good, physical Forensic in-line USB WriteBlocker, once “proofed” for effectiveness on your analysis bench-system, it might be good software-based solution in a pinch.

BinPack: 2.0.1 Release - West Coast Hackers.  This “new” package release (actually back from August 2010) updates and rounds out a really cool pentest/security/response toolset manager.  Download the core files, then select, build and download the various independent software binaries from their developers and homepages.  Pick what you want; you can always go back and add/remove more later.

Happy hunting!

--Claus V.

Quick-Tip : Blu-ray tip for Sony SDP-S360

It’s been a long while, but we’ve been thoroughly tickled pink with our BDP-S360 Blu-ray™ Disc Player from Sony.

Quality has been awesome at full HD 1080p and it was a real steal at the price we paid to join the HD/Blu-ray crowd.

Only issue is that when I purchased and played the Blu-ray edition of Leap Year quite some time ago, when it reached a climactic scene near the end of the movie in the pub, I would experience extreme pixilation, playback freeze, and then a crash.  Mashing on the FF button usually kept it alive though the process but would jump to the end of the movie.

I kept looking for reports of bad-disk manufacturing error, but hadn’t found any.  The disk was clean and had no visible scratches or blemishes that might have interfered with play-back as far as I could tell.

So while researching another (unrelated) Blu-ray thing, it struck me that maybe the device codecs/DRM information might need to be updated on the Sony appliance.

I knew from the get-go that the unit came with a Ethernet port and could have the firmware updated either “on-line” or via manual burn & play of a firmware update CD.  When checked, it was sitting on version .002 as loaded at the factory.

I don’t keep it attached to the network so I had to temporarily string my super-long Cat-6 GeekSquad patch cord down the hall to plug in.

Following the on-line information on this Sony eSupport - BDP-S360-specific page, I

About 5-10 minutes later the system powered off after downloading and applying the firmware update.

With Alvis carefully shadowing me and providing additional guidance and encouragement, I powered it back on and re-tested my LeapYear Blu-ray disk and popped over to that chapter section of the disk that always caused the player to bork-out.

Perfect playback.

So, lesson learned, if you have a Blu-ray player and it supports  updating of the firmware, and you are experiencing play-back issues with disks, seriously consider checking your firmware version and update if available.

It might really spare you unnecessary aggravation.

Cheers!

--Claus V.

New Year’s Day - First Post 2011

Same day I came out with my first post after a long drought, I fell upon this article Blogging Seems To Have Peaked, Says Pew Report over at ReadWriteWeb.  According to the study, blogging activity on-line has heavily dropped, while on-line content consumption has continued to grow.  Looking back at my side-bar, I have to confess that my raw content-generation post numbers have declined since my high-water mark in 2007.  However I would like to argue that while volume has decreased, quality has increased slightly.

Of course, the amount of leisure time I have available has also decreased which accounts for much of the decline in GSD posting.  At the same time, I could probably work on being more disciplined with some of my time.  Couple that with our “study” slowly turning into a laundry-room/super-closet of sorts and my blogging desk hidey-hole has disappeared. Yesterday I took down and stored away the Christmas decorations for another year (almost two-weeks early from my usual procrastinations).  This brought on a major re-setting of the living/family room area and I now have a micro-desk area set up there instead.  Maybe that will stimulate the blogging juices as well.

In the meantime, here is a getting-the-new-year started linkfest of new applications and neat utilities to jump-start the effort to push the GSD post-count for 2011 upward again.

FreeCommander XE Beta now public

FreeCommander remains my #1 top go-to dual-pane file manager.  I’ve tried tons of other file-managers and while there are many great options out there now, IMHO, none come close to the features and flexibility of FreeCommander.  It just works with the way I jockey files all day.

The developer, Marek Jasinski, was kind enough to give me private access to the alpha builds of the next generation of FreeCommander and I have been diligently putting them through the paces.

So it just in the last week or two that he posted the first publically available release of FreeCommander XE.  While it retains the same form and function of FreeCommander, the style has been seriously updated and the fine-tuning control is greatly enhanced.  You can get both the install version or a “portable” zip file version from that page.  Just be aware that it is still clearly a developmental “preview” release so while most of the features will work as planned, you might be a bit frustrated with what still does not if you are a power FreeCommander user.  I’m still not ready to replace the latest stable version of the “old” FreeCommander with this version just yet.  But it is a nice look at what is to come.

Other related tips that might be of use to you if you are both a FC user and a TeraCopy user.

Run Command Links

When I am setting up special purpose XP systems, sometimes I have to make some tweaks to system settings.  Going the long way through menu systems to get to a particular windows is time consuming, so pulling it up via a run line is a big time-saver.  I’ve memorized many of them, but every now and then I can’t recall and Windows doesn’t make it easy to access the commands if you don’t know what they are to start.

Here are three bookmark-worthy resources for just when you need them most (XP/Win7).

VirtualBox 4.0 Final

Oracle has now released the final public release of VirtualBox now sitting at 4.0 - Downloads - VirtualBox.

You can also get it via their ftp page: Index of /virtualbox/

Brett Shavers of WinFE Blog fame recently reminded me of the MobaLiveCD tool.  While not related to VirtualBox, it does provide a clever and portable Qemu package to run virtual sessions of LiveCD’s for down-n-dirty testing.  It worked on my rippin-fast Win7 x64 laptop, but was very, very slow in performance.  So while handy in a portable pinch, it probably isn’t useful for production-level virtualization work.

There is also vbox.me ‘s Portable-VirtualBox project.  As I understand it currently, while there is a v4.0.0 new release support out, Oracle has now required the developer to remove direct inclusions of VirtualBox items from the package, and it is now set up in a manner that first downloads the VBox binaries then unpacks them for the portable setup process. And USB support still is in works as well at the moment.  YMMV.  See also How To Make Portable VirtualBox 4.0 For Windows at addictivetips.com

Network Briefs

Always a great source of personal tippage, TinyApps passed on a lead to the Dualcomm Mini USB Powered 5-Port 10/100 Ethernet Switch TAP.  How cool is this at less than $100? They also offer this larger Dualcomm USB Powered Gigabit Ethernet Switch TAP at a $150 price point.  In both cases Port #1 is mirrored to Port #5.  See also this brief post by George Starcher » Review – DualComm – Ethernet Tap.

Speaking of taps, in a former GSD post on the subject I offered these references:

As such here are some related materials on that subject for future reference when needed.

…But first, read and review this brief TaoSecurity post on SPANs versus Taps: TaoSecurity: Expert Commentary on SPAN and RSPAN Weaknesses

It links to two MOST Excellent articles on the issues of using spanned switch ports for collecting your network capture data, both form Tim O’Neill:

OK, now the linkage on SPAN’ing

And my oldies but goodies favorites:

CDP - What Switch Am I Connected To? and Monitoring Traffic with Span Ports – SynJunkie.  Two really great posts out of series of ones touching on network monitoring, and Cisco switch/router configuration techniques.  I’m singling these out in particular as they are of interest to sysadmin troubleshooting on the network as well as traffic captures.

And recently found this Wireshark Wiki article as well -- CaptureSetup/Ethernet.

Which is neat as I just ordered up some additional reference for the new year: Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide by Laura Chappell, Gerald Combs.  I sooo can’t wait for this one to arrive!

Finally, the Microsoft Network Monitor blog has this new post: Filtering On Timestamps which is good information to know if you prefer Network Monitor or NMcap (CLI) for your traffic capture handling.  Don’t miss the tip link to the online Date format converter page to assist in your conversion work.

Utility Roundup

Via the German blogger Caschy (through Google Translate magic), CopyTrans TuneSwift.  There are more than a few ways to move your iTunes stores from one system/location to another…though they all have their own quirks and shortcomings.

Check out either the CopyTrans Suite of tools or the CopyTrans specific utility as it may have a full-featured backup/transfer/restore solution you are looking for for iTunes/iPod management and recovery.  Currently CopyTrans is being offered for free, but will switch to a pay-version 03/15/2011.  You will need an unlock code so either use the one Caschy has provided on his page or the direct one on this CopyTrans page.

Because I never can remember the conversion rates for bps to Bps to Mbps as I deal with various network bandwidth graphs I’ve settled on Converber Portable over at PortableApps.com to prove me a super-handy tool for all my IT figure conversion needs.  Tip: While it can do so much more, just set the “Category” field to “Computer” to filter down the list of over 1324 various units of measure in 38 categories to just those used in the IT field.  It’s much less overwhelming that way!

ImageX GUI (GImageX) still remains my fav ImageX CLI Gui-based tool for super-fast WIM management.  However, 4SYSOPS recently posted about an alternative ImageX gui manager GDism ELDI v3.0.2. As Michael Pietroforte points out, the strongest feature/drawback might be the fact that it is a Java application so depending on your viewpoint on Java, that may or may not be a good thing.  That said it is a nice alternative. (Note: the CGI ‘avatar’ figure displayed on the ELDI page might be a bit racy for some so depending on policy standards, you may want to check the page out at home first before hitting it from work…just to be safe.)

First there was Orca for picking apart and manipulating MSI packages. Then came InstEd It! which seriously seemed to expand the options available.  Then I really fell in love with the light but perfectly handy (for me) lessmsi tool (still alive and cool). Now comes wind from Kurt Shintaku via his blog post RELEASE: MSI Explorer – Inspection Tool for .MSI installation packages of yet another MSI package inspection/change tool; MSI Explorer coded by Sateesh Arveti.

Ryan at CyberNet News seems to have slowed down on the blogging as well, but his post Stress Test a PC with HeavyLoad offers an additional (portable) freeware tool that can be used to put the heavy on a system for load-testing and performance monitoring.  Don’t forget other beefier tools such as the Phoronix Test Suite and Inquisitor. MakeUseOf blog also offered a while back The 5 Best Free Benchmark Programs for Windows.

See also the JAM Software - FileList CLI tool (freeware) for generating file-lists in a given directory.  Check out the ReadMe for additional CLI arguments.

What the Web Says…

Sometimes you have to go to the Web to find out just what is what and where stuff is ranked.  These were pretty cool finds this past week.

Browserscope - From the web-page “Browserscope is a community-driven project for profiling web browsers. The goals are to foster innovation by tracking browser functionality and to be a resource for web developers.”

namebench - From the project page “It hunts down the fastest DNS servers available for your computer to use. namebench runs a fair and thorough benchmark using your web browser history, tcpdump output, or standardized datasets in order to provide an individualized recommendation.”

See also the super-tiny, fully portable GRC’s DNS Nameserver Performance Benchmark utility for a no-install alternative.

Finally, got an Intel chip-based Windows system? You might want to hop over and try the Intel Driver Update Utility.  Ed Bott gets the hat-tip and has more information on his How to update Intel drivers automatically blog post.  I found a very new wired Ethernet port driver update for my new Laptop.  Please carefully note this one item from the Intel page easily overlooked:

Intel® Wired Networking note: If the Intel Driver Update Utility shows your Intel wired networking product ending in '(OEM)', Intel recommends you use the networking software provided by your computer manufacturer. OEMs may have optimized the drivers for your system.

Happy New Year!

Claus V.